UVM is going to take advantage of a grant opportunity that will support an intensive three-week on-site effort to design an institution-wide deployment of Active Directory. Consultants from Microsoft and from Competitive Computing will be on site for a series of design sessions between April 21st and May 9th, working with UVM IT staff from several units who currently rely on Active Directory Services.
What is "Active Directory"?
According to Bill O'Brien in ZDNet, "Microsoft's new Active Directory
service is one of the central components of Windows 2000. So central is it,
in fact, that maximizing your use of Windows 2000—and your business—depends
on your being able to understand what it is and how it works."
"Active Directory acts as a focal point for [..] resources and services
[dispersed across a network]. It will permit users to log on to different
systems without needing a catalog of passwords and accounts to accommodate
them. In effect, while you'll probably only hear it described as Active Directory,
the word "Service" should be tacked on to the end of that name. It's a dynamic
construct, not just a static list. It contains both the directory structure
of the network and the ability to manipulate the items within it transparently—without
the need to know where they are in the network or how they're physically
connected."
Does UVM use Active Directory today?
All universities, especially research-intensive universities like UVM, depend on a wide variety of computer and network technologies. Microsoft operating systems predominate on the "desktop" and "laptop" systems in use. For CIT servers, UNIX is predominant, but Microsoft servers are in wide use as well, especially in the College of Medicine and the School of Business. Units that have wanted or needed to use Active Directory have had to design and deploy their own instances of these services. So we have at least two "root" domains, "uvm" and "bsadnet". The College of Medicine domain "med.uvm" is a child domain under "uvm".
What's wrong with an institution-wide design and deployment?
Bureaucracy. Why construct a system where I have to get someone else to
do something I used to be able to do myself?
If I team up with others, and I need to change something that might affect
their operation, do I need to get their permission?
What if I come to rely on a service provided by others, and the quality
of service is unacceptable?
Workload. I have it working now, and to change will eat up a lot of my time,
and it is all "back office" improvements my clients won't even see.
Why consider an institution-wide design and deployment?
Efficiency and effectiveness. Two large "clerical" tasks in all IT operations
are "identity management" and "authorization management": creating "accounts"
for people as they become eligible, and retiring those accounts when they
are no longer eligible; making sure we do not confuse people who have the
same name; helping people who forget their passwords.
So what's the current plan?
We are going to use this grant-funded opportunity to design an institution-wide AD deployment. This design process will let us identify the opportunities and costs of deploying a cohesive AD design.
Long term?
We need to be able to automatically recognize when a person gains an affiliation
with the institution and automatically do what needs to be done to provide
them access to our network and computational resources, all the while ensuring
that those who should not gain access do not gain access. We need to do
this with minimal staff intervention, and maximum security and speed. Our
Active Directory deployment is an important part of our overall identity
management and access control scheme.